Reg Harnish, CEO of GreyCastle Security, Renee Walrath, Founder of Walrath Recruiting
From the ever-growing Internet of Things to the rising implementation of automation and artificial intelligence, perpetual advancements in technology have provided us with a new level of convenience.
But, not without a price.
A war is being fought every day right under our noses, literally. The computers and electronic devices that demand our constant attention are under attack and we don't have the resources yet to protect ourselves. But before we can ever expect to win this war, there must be a paradigm shift in our culture that elevates the importance of cybersecurity to the same level as physical security.
We will get there.
But it will take at least another decade or a series of catastrophic breaches before we, as a society, begin to think about cybersecurity in the same way we do locking our doors, hiding our valuables or avoiding dark alleys.
What's holding the industry back? Several things, including an unprecedented skills gap that is growing daily. As many as 3.5 million cybersecurity jobs will be vacant by 2021, according to the 2017 Cybersecurity Ventures report released last month. Simultaneously, global annual cybercrime costs are also growing, at a clip that's expected to reach $6 trillion annually by 2021, according to the report.
If the same void were present in the medical field, a state of emergency would be declared. The truth is, however, the cybersecurity industry is in a state of emergency.
It's clear that the industry, and the nation as a whole, needs to be doing more to attract talent and shrink the cybersecurity skills gap. While there is work being done, many of the initiatives in place or proposed will take years before they make a dent in the problems that face us now.
In the meantime, Americans still have businesses to run. For those who can't wait for the industry to catch up to our black hat adversaries, here are three ways to close the skills gap in your organization right now:
Identify the right talent: Cybersecurity is a generalized practice of managing risks and, contrary to popular belief, not all of the risks are technology based. Cybersecurity has as much to do with IT as it does with finance, human resources, facilities or any other department. Yet most of us still consider it a technology issue. We're also seeing that students are graduating with great degrees, but no social skills. That makes them unprepared to work in the cybersecurity industry.
Instead of focusing solely on finding talent with the “right” technical experience, companies should be looking for employees with strong social skills. Individuals who not only exhibit confident body language, have a firm handshake and make consistent eye contact, but also know how to navigate difficult conversations with a variety of personalities and levels of management, from CEOs and CIOs to end users and vendors, are prime candidates for cybersecurity positions.
Expand the search: Jobs in cybersecurity are interesting because of the unique career paths that are not logical in any other industry. There are countless ways individuals can get started in cybersecurity, but most are unaware that cybersecurity could even be a path for them. Since banking, healthcare, and higher education all rely on cybersecurity so heavily, professionals who have a background in one of those industries may be able to transition into a job in this industry. For example, someone who knows the back-end of banking systems would be in a great position to protect them.
Also, according to the National Cybersecurity Institute, women make up only 20 percent of the cybersecurity industry, which is about 30 percent lower than the number of women in the overall employed adult population. Likewise, minorities make up just 12 percent, compared to more than 30 percent of the overall working population. Considering the lack of representation among women and minorities in the cybersecurity world, it would be smart to “think outside the box” and promote outreach programs that engage this population.
Outsource: Educational institutions and universities are beginning to take notice of the increasing demand for cyber-savvy students. Some are beginning to implement programs that address the cybersecurity skills gap and expand cyber education courses in K-12 schools to create the next generation of cybersecurity talent. But experiencing the impact of these programs could take years. In the meantime, companies must have a short-term strategy for managing the talent drought. That's where outsourcing comes in. Companies are increasingly outsourcing a number of security functions, including risk assessment and mitigation, penetration testing, network monitoring and incident response.
According to a recent study by Intel Security with the Center for Strategic and International Studies (CSIS), more than 60 percent of respondents indicated their companies outsource at least some aspect of their cybersecurity workload. In many cases, it makes complete sense, especially for small or medium-sized businesses – it's just too difficult to compete for those capabilities right now. Hiring an outside firm will not only save you money but also free up your own IT department, which most likely is already stretched too thin and unprepared from a skills standpoint to perform many of the security functions.
It's likely the skills gap in cybersecurity will widen before it begins to contract, further increasing the demand for workforce talent. However, with the right plan in place, companies can make it through one of history's worst gaps in workforce talent without suffering a business-ending data breach as they wait for cybersecurity training programs and initiatives to take root.